
Grafana Cloud Enterprise

Configure SCIM provisioning

System for Cross-domain Identity Management (SCIM) is an open standard that allows automated user provisioning and management. With SCIM, you can automate the provisioning of users and groups from your identity provider to Grafana.

Note

Available in Grafana Enterprise and select Grafana Cloud plans in public preview. Grafana Labs offers limited support, and breaking changes might occur prior to the feature being made generally available.

This feature is behind the enableSCIM feature toggle. You can enable feature toggles through configuration file or environment variables.

For more information, refer to the feature toggles documentation.

Warning

Public Preview: SCIM provisioning is currently in Public Preview. While functional, the feature is actively being refined and may undergo changes. We recommend thorough testing in non-production environments before deploying to production systems.

Benefits

Note

SCIM provisioning only works with SAML authentication. Other authentication methods aren’t supported.

SCIM offers several advantages for managing users and teams in Grafana:

  • Automated user provisioning: Automatically create, update, and disable users in Grafana when changes occur in your identity provider
  • Automated team lifecycle management: Automatically create teams when new groups are added, update team memberships, and delete teams when groups are removed from your identity provider
  • Reduced administrative overhead: Eliminate manual user management tasks and reduce the risk of human error
  • Enhanced security: Automatically disable access when users leave your organization

Authentication and access requirements

Warning

When using SAML for authentication alongside SCIM provisioning, a critical security measure is to ensure proper alignment between the SCIM user’s externalId and the SAML user identifier. The unique identifier used for SCIM provisioning (which becomes the externalId in Grafana, often sourced from a stable IdP attribute like Entra ID’s user.objectid) must also be sent as a claim in the SAML assertion from your Identity Provider. Furthermore, the Grafana SAML configuration must be correctly set up to identify and use this specific claim for linking the authenticated SAML user to their SCIM-provisioned user. This can be achieved either by ensuring that the primary SAML login identifier is this stable unique identifier, or by using the assertion_attribute_external_uid setting in Grafana to explicitly set the name of the SAML claim that contains it.

Why is this important? A mismatch or inconsistent mapping between this SAML login identifier and the SCIM externalId creates a critical security vulnerability. If these two identifiers are not reliably and uniquely aligned for each individual user, Grafana may fail to correctly link an authenticated SAML session to the intended SCIM-provisioned user profile and its associated permissions. This can enable a malicious actor to impersonate another user—for instance, by crafting a SAML assertion that, due to the identifier misalignment, incorrectly grants them the access rights of the targeted user.

Grafana relies on this linkage to correctly associate the authenticated user from SAML with the provisioned user from SCIM. Failure to ensure a consistent and unique identifier across both systems can break this linkage, leading to incorrect user mapping and potential unauthorized access.

Always verify that your SAML identity provider is configured to send a stable, unique user identifier that your SCIM configuration maps to externalId. Refer to your identity provider’s documentation and the specific Grafana SCIM integration guides (e.g., for Entra ID or Okta) for detailed instructions on configuring these attributes correctly.
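The linkage rule above, as an added example (not Grafana code): a SAML attribute statement is resolved to exactly one active SCIM-provisioned user through the claim named by assertion_attribute_external_uid, and anything that cannot be linked unambiguously is refused rather than guessed. The user records, UUIDs and the `userUID` claim name are constructed for the illustration.

```python
"""Resolve a SAML login to exactly one SCIM-provisioned user.

Added example, not Grafana code. It models the rule from the warning above:
the stable IdP identifier that the SCIM client sends as externalId must also
arrive as a SAML claim, and assertion_attribute_external_uid must name that
claim. Anything that cannot be linked to exactly one active provisioned user
is refused rather than guessed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ScimUser:
    user_name: str
    external_id: str  # stable IdP identifier delivered via SCIM (e.g. Entra ID objectId)
    active: bool


# Constructed SCIM-provisioned users (the UUIDs are made up).
PROVISIONED = [
    ScimUser("alice@example.com", "11111111-aaaa-4bbb-8ccc-000000000001", True),
    ScimUser("bob@example.com", "11111111-aaaa-4bbb-8ccc-000000000002", True),
    ScimUser("carol@example.com", "11111111-aaaa-4bbb-8ccc-000000000003", False),
]


class LinkError(Exception):
    """Raised when the assertion cannot be tied to exactly one provisioned user."""


def link_saml_to_scim(assertion_attrs: Dict[str, List[str]], external_uid_attr: str,
                      users=PROVISIONED) -> ScimUser:
    """assertion_attrs: attribute name -> values parsed from the SAML AttributeStatement.
    external_uid_attr: the value of assertion_attribute_external_uid in the SAML config."""
    values = assertion_attrs.get(external_uid_attr)
    if not values:
        raise LinkError(f"assertion carries no {external_uid_attr!r} claim")
    if len(values) != 1:
        raise LinkError(f"{external_uid_attr!r} must have exactly one value, got {len(values)}")
    uid = values[0]
    matches = [u for u in users if u.external_id == uid]
    if len(matches) != 1:
        raise LinkError(f"externalId {uid!r} matched {len(matches)} provisioned users")
    if not matches[0].active:
        raise LinkError(f"{matches[0].user_name} was deactivated via SCIM")
    return matches[0]


def login_outcome(assertion_attrs, external_uid_attr) -> str:
    """Convenience wrapper: 'linked:<userName>' or 'refused:<reason>'."""
    try:
        return "linked:" + link_saml_to_scim(assertion_attrs, external_uid_attr).user_name
    except LinkError as err:
        return "refused:" + str(err)


# Constructed assertion: the IdP sends the objectId under a claim named userUID.
ASSERTION = {
    "userUID": ["11111111-aaaa-4bbb-8ccc-000000000001"],
    "mail": ["alice@example.com"],
}

if __name__ == "__main__":
    # Correct setup: assertion_attribute_external_uid = userUID
    print(login_outcome(ASSERTION, "userUID"))
    # Misconfiguration: pointed at the mail claim, which never equals the externalId,
    # so the login is refused instead of being linked to a guessed account.
    print(login_outcome(ASSERTION, "mail"))
    # Deactivated user: SCIM set active=false, so the SAML login must not succeed.
    print(login_outcome({"userUID": ["11111111-aaaa-4bbb-8ccc-000000000003"]}, "userUID"))
```

The point of the three cases is that every failure path ends in a refusal: a missing claim, a claim that does not equal any externalId, a duplicate match, or a deactivated user never falls back to a weaker identifier such as the email address, which is exactly the fallback that would let one account be linked to another user's profile.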

When you enable SCIM in Grafana, the following requirements and restrictions apply:

  1. Use the same identity provider for user provisioning and for authentication: the identity provider that provisions users through SCIM must be the same one that authenticates them.

  2. Security restriction: When using SAML, the login authentication flow requires the SAML assertion exchange between the Identity Provider and Grafana to include the userUID SAML assertion with the user’s unique identifier at the Identity Provider.

    • Configure userUID SAML assertion in Entra ID
    • Configure userUID SAML assertion in Okta

Configure SCIM using the Grafana user interface

You can configure SCIM in Grafana using the Grafana user interface. To do this, navigate to Administration > Authentication > SCIM.

The Grafana SCIM UI provides the following advantages over configuring SCIM in the Grafana configuration file:

  • It is accessible by Grafana Cloud users
  • It doesn’t require Grafana to be restarted after a configuration update
  • Using the authentication settings permission lets you restrict the scope of access that is granted, rather than relying on an overly permissive role such as Admin.

Note

Any configuration changes made through the Grafana user interface (UI) will take precedence over settings specified in the Grafana configuration file or through environment variables. This means that if you modify any configuration settings in the UI, they will override any corresponding settings set via environment variables or defined in the configuration file.

Configure SCIM settings

Sign in to Grafana and navigate to Administration > Authentication > SCIM. Here you can configure the following settings:

| Setting | Required | Description | Default |
|---|---|---|---|
| Enable Group Sync | No | Enable SCIM group provisioning. When enabled, Grafana will create, update, and delete teams based on SCIM requests from your identity provider. Cannot be enabled if Team Sync is enabled. | false |
| Reject Non-Provisioned Users | No | When enabled, prevents non-SCIM provisioned users from signing in. Cloud Portal users can always sign in regardless of this setting. | false |
| Enable User Sync | Yes | Enable SCIM user provisioning. When enabled, Grafana will create, update, and deactivate users based on SCIM requests from your identity provider. | false |

The SCIM UI also displays information that may help you configure SCIM in your identity provider, including stack domain, stack ID, and tenant URL.

Next steps

After configuring SCIM in Grafana, configure your identity provider:

Configure SCIM using the configuration file

The table below describes all SCIM configuration options. Like any other Grafana configuration, you can apply these options as environment variables.

| Setting | Required | Description | Default |
|---|---|---|---|
| user_sync_enabled | Yes | Enable SCIM user provisioning. When enabled, Grafana will create, update, and deactivate users based on SCIM requests from your identity provider. | false |
| group_sync_enabled | No | Enable SCIM group provisioning. When enabled, Grafana will create, update, and delete teams based on SCIM requests from your identity provider. Cannot be enabled if Team Sync is enabled. | false |
| reject_non_provisioned_users | No | When enabled, prevents non-SCIM provisioned users from signing in. Cloud Portal users can always sign in regardless of this setting. | false |

Warning

Team Sync Compatibility:

  • SCIM group sync (group_sync_enabled = true) and Team Sync cannot be enabled simultaneously
  • You can use SCIM user sync (user_sync_enabled = true) alongside Team Sync
  • For more details about migration and compatibility, see SCIM vs Team Sync

Example SCIM configuration

```ini
[auth.scim]
user_sync_enabled = true
group_sync_enabled = false
reject_non_provisioned_users = false
```
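A deployment check for these settings, as an added example (not Grafana code): it resolves the three keys with the precedence the page describes (configuration file, then environment variables, then values saved through the UI) and enforces the constraints from the tables, namely that user_sync_enabled is required and that group_sync_enabled cannot be combined with Team Sync. The environment-variable names follow Grafana's GF_<SECTION>_<KEY> convention; whether Team Sync is active is passed in as a flag, since this script does not inspect the other authentication sections.

```python
"""Resolve and validate [auth.scim] settings with the documented precedence.

Added example, not Grafana code. It reads the three keys from an ini string,
applies environment overrides using Grafana's GF_<SECTION>_<KEY> naming
(GF_AUTH_SCIM_USER_SYNC_ENABLED and so on), lets UI-saved values win over
both, and then checks the constraints from the tables: user_sync_enabled is
required, and group_sync_enabled cannot be combined with Team Sync. Whether
Team Sync is on is passed in as a flag (assumption: the SAML/LDAP sections
are not inspected here).
"""
import configparser
from typing import Dict, List, Optional

SCIM_KEYS = ("user_sync_enabled", "group_sync_enabled", "reject_non_provisioned_users")


def _as_bool(raw) -> bool:
    return str(raw).strip().lower() in ("true", "1", "yes", "on")


def resolve_scim_settings(ini_text: str, env: Optional[Dict[str, str]] = None,
                          ui_settings: Optional[Dict[str, bool]] = None) -> Dict[str, bool]:
    """Precedence, lowest to highest: config file -> environment -> UI."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    file_section = cp["auth.scim"] if cp.has_section("auth.scim") else {}
    env = env or {}
    ui_settings = ui_settings or {}
    resolved = {}
    for key in SCIM_KEYS:
        value = _as_bool(file_section.get(key, "false"))  # all three default to false
        env_name = "GF_AUTH_SCIM_" + key.upper()
        if env_name in env:
            value = _as_bool(env[env_name])
        if key in ui_settings:
            value = bool(ui_settings[key])
        resolved[key] = value
    return resolved


def validate_scim_settings(settings: Dict[str, bool], team_sync_enabled: bool) -> List[str]:
    """Return the list of violations; an empty list means the settings are usable."""
    problems = []
    if not settings["user_sync_enabled"]:
        problems.append("user_sync_enabled is required for SCIM provisioning")
    if settings["group_sync_enabled"] and team_sync_enabled:
        problems.append("group_sync_enabled and Team Sync cannot be enabled simultaneously")
    return problems


# Constructed copy of the example configuration above.
EXAMPLE_INI = """
[auth.scim]
user_sync_enabled = true
group_sync_enabled = false
reject_non_provisioned_users = false
"""

if __name__ == "__main__":
    # An environment variable flips group sync on; with Team Sync still active the
    # combination is rejected before the instance is started with a conflicting setup.
    settings = resolve_scim_settings(EXAMPLE_INI, env={"GF_AUTH_SCIM_GROUP_SYNC_ENABLED": "true"})
    print(settings)
    print(validate_scim_settings(settings, team_sync_enabled=True))
```

Running the check against the rendered configuration, rather than only the file, is what catches the case where an environment variable or a value saved through the UI silently changes what the file appears to say.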

Configure SCIM using Terraform

You can also configure SCIM provisioning in Grafana using the Grafana Terraform provider. This approach is particularly useful for infrastructure-as-code deployments and automated provisioning.

Terraform SCIM configuration example

```hcl
resource "grafana_scim_config" "scim_config" {
  user_sync_enabled            = true
  group_sync_enabled           = false
  reject_non_provisioned_users = false
}
```

Terraform SCIM configuration options

The Terraform grafana_scim_config resource supports the same configuration options as the manual configuration:

| Setting | Required | Description | Default |
|---|---|---|---|
| user_sync_enabled | Yes | Enable SCIM user provisioning. When enabled, Grafana will create, update, and deactivate users based on SCIM requests from your identity provider. | false |
| group_sync_enabled | No | Enable SCIM group provisioning. When enabled, Grafana will create, update, and delete teams based on SCIM requests from your identity provider. Cannot be enabled if Team Sync is enabled. | false |
| reject_non_provisioned_users | No | When enabled, prevents non-SCIM provisioned users from signing in. Cloud Portal users can always sign in regardless of this setting. | false |

Supported identity providers

The following identity providers are supported:

How it works

The synchronization process works as follows:

  1. Configure SCIM in both your identity provider and Grafana
  2. Your identity provider sends SCIM requests to the Grafana SCIM API endpoint
  3. Grafana processes these requests to create, update, or deactivate users and teams, and synchronize team memberships
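The request flow in the three steps above, as an added example (not Grafana code): an in-memory provisioner applies a constructed sequence of SCIM 2.0 requests (User and Group resources per RFC 7643, PATCH operations per RFC 7644) and shows the lifecycle effects the page describes, namely user creation, deactivation rather than deletion, teams that follow groups, and memberships that track group members. The endpoint paths are the generic SCIM ones and the user and group data is made up; the page does not specify Grafana's actual endpoint or internal handling.

```python
"""In-memory model of the SCIM request flow described above.

Added example, not Grafana code. A SCIM 2.0 client (the IdP) sends User and
Group resources (RFC 7643) and PATCH operations (RFC 7644); this toy
provisioner applies them the way the lifecycle in "How it works" describes:
users are created, updated and deactivated (never deleted), teams follow
groups, and memberships track group members. Endpoint paths are the generic
SCIM ones; Grafana's actual endpoint is not specified on this page.
"""
import re
from typing import Dict, Optional

MEMBER_FILTER = re.compile(r'members\[value eq "([^"]+)"\]')


def _as_bool(value) -> bool:
    # Some IdPs send booleans as the strings "True"/"False"; bool("False") would be True.
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"


class Provisioner:
    def __init__(self):
        self.users: Dict[str, dict] = {}
        self.teams: Dict[str, dict] = {}
        self._next_id = 0

    def _new_id(self) -> str:
        self._next_id += 1
        return str(self._next_id)

    def handle(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        """Dispatch e.g. ('PATCH', '/Users/1', {...}); returns a status-like dict."""
        resource, _, rid = path.strip("/").partition("/")
        body = body or {}
        if resource == "Users":
            return self._users(method, rid, body)
        if resource == "Groups":
            return self._groups(method, rid, body)
        return {"status": 404}

    def _users(self, method, rid, body):
        if method == "POST":
            name, ext = body.get("userName"), body.get("externalId")
            if not name or not ext:
                return {"status": 400, "detail": "userName and externalId are required"}
            if any(u["externalId"] == ext for u in self.users.values()):
                return {"status": 409, "detail": "externalId already provisioned"}  # uniqueness conflict
            uid = self._new_id()
            self.users[uid] = {"userName": name, "externalId": ext, "active": _as_bool(body.get("active", True))}
            return {"status": 201, "id": uid}
        user = self.users.get(rid)
        if user is None:
            return {"status": 404}
        if method == "PATCH":
            for op in body.get("Operations", []):
                if op.get("op", "").lower() == "replace" and op.get("path") in ("active", "userName"):
                    user[op["path"]] = _as_bool(op["value"]) if op["path"] == "active" else op["value"]
            return {"status": 200}
        if method == "DELETE":
            user["active"] = False  # deactivate; the record stays for audit and re-activation
            for team in self.teams.values():
                team["members"].discard(rid)
            return {"status": 204}
        return {"status": 405}

    def _groups(self, method, rid, body):
        if method == "POST":
            tid = self._new_id()
            self.teams[tid] = {"displayName": body.get("displayName", ""), "members": set()}
            self._add_members(tid, body.get("members", []))
            return {"status": 201, "id": tid}
        if rid not in self.teams:
            return {"status": 404}
        if method == "PATCH":
            for op in body.get("Operations", []):
                kind, path = op.get("op", "").lower(), op.get("path", "")
                if kind == "add" and path == "members":
                    self._add_members(rid, op.get("value", []))
                elif kind == "remove":
                    m = MEMBER_FILTER.fullmatch(path)  # RFC 7644 filter form
                    if m:
                        self.teams[rid]["members"].discard(m.group(1))
            return {"status": 200}
        if method == "DELETE":
            del self.teams[rid]  # group removed at the IdP -> team removed
            return {"status": 204}
        return {"status": 405}

    def _add_members(self, tid, members):
        for m in members:
            if m.get("value") in self.users:  # ignore references to unknown users
                self.teams[tid]["members"].add(m["value"])


def run_demo() -> Provisioner:
    """Constructed request sequence an IdP might send; returns the resulting state."""
    p = Provisioner()
    p.handle("POST", "/Users", {"userName": "alice@example.com", "externalId": "obj-0001"})
    p.handle("POST", "/Users", {"userName": "bob@example.com", "externalId": "obj-0002"})
    p.handle("POST", "/Groups", {"displayName": "sre", "members": [{"value": "1"}, {"value": "2"}]})
    p.handle("PATCH", "/Groups/3", {"Operations": [{"op": "remove", "path": 'members[value eq "2"]'}]})
    p.handle("PATCH", "/Users/2", {"Operations": [{"op": "Replace", "path": "active", "value": "False"}]})
    return p
```

Two details matter for a defender here: a duplicate externalId is rejected with a conflict instead of silently attaching a second account to the same identity, and a deactivation arriving as the string "False" is still treated as a deactivation, so a departed user's access is removed rather than left active because of a type quirk.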

Comparison with other sync methods

Grafana offers several methods for synchronizing users, teams, and roles. The following table compares SCIM with other synchronization methods to help you understand the advantages:

| Sync Method | Automation | Key Benefits | Limitations |
|---|---|---|---|
| SCIM | Full | Complete user and team lifecycle management with automatic team creation | Requires SAML authentication; uses Role Sync for basic roles |
| Team Sync | Partial | Syncs team memberships to existing teams | Requires manual team creation; no team lifecycle management |
| Active LDAP Sync | Full | Background synchronization of LDAP users | Limited to LDAP environments |
| Role Sync | Full | Full automation of basic role assignment | Limited to basic roles only |
| Org Mapping | Full | Full automation of basic role assignment per organization | Limited to basic roles only; on-premises only |

Key advantages

  • Comprehensive user and team automation: SCIM provides full automation for user and team provisioning, while role management is handled separately through Role Sync
  • Dynamic team creation: Teams are created automatically based on identity provider groups
  • Near real-time synchronization: Changes in the identity provider are reflected based on the provider synchronization schedule
  • Enterprise-ready: Designed for large organizations with complex user management needs

Next steps